Postmortem on garbage jobs posted on We Love Go

The incident

Around 2019-05-27 04:12 UTC+10, 5 garbage job ads were posted on We Love Go’s website (https://welovegolang.com) and subsequently on its Twitter account (https://mobile.twitter.com/welovegolang).

One job ad in particular contained hateful language and I apologise to all of We Love Go’s users and Twitter followers for allowing it to occur.

Thank you to a few members of the We Love Go community for bringing the garbage jobs to my attention. I was also aware of them due to the notification email that I receive for each and every job that is posted.

The cause

It appears that these garbage jobs were posted by bots using We Love Go’s unauthenticated job posting form as opposed to using the relatively new (at the time of writing) authenticated forms. The unauthenticated job posting form allows anyone to post a job without first having to authenticate with a valid user account. The reason that an unauthenticated form even exists is that We Love Go started out as a small side-project and user authentication was not a part of the first iteration.

When the authenticated process was introduced, it required users to login with a Google account in order to post a job. I did not want to exclude people and businesses that did not have a Google account and so I decided to leave the unauthenticated form as an option for those users.

Remediation and prevention

The garbage Tweets and jobs were deleted around 2019-05-27 05:13 UTC+10.

Around 2019-05-27 11:00 UTC+10 welovegolang.com was updated with the following changes:

  1. The unauthenticated form and process were removed. This means that jobs can only be posted by first signing in with a valid Google account, which should stop bots from posting on the site. While this will not necessarily stop real users from posting garbage job ads, it should help.
  2. Content in job ads is now scanned for banned and offensive words.

Next steps

  1. Revisit the code that is checking for banned or offensive words and ensure that it is robust and is not returning false positives that block genuine jobs from being posted.
  2. Consider whether jobs need to be explicitly approved by admin instead of allowing them to be automatically posted.
  3. Consider adding other forms of single sign-on in addition to Google.
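To make the robustness concern in step 1 concrete, here is an added example (not We Love Go’s own code) contrasting a substring scan with a whole-word scan; the banned-word list and the sample ad texts are constructed placeholders, so the banned entries here are deliberately mild.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// bannedWords is a constructed placeholder list; a real deployment would load its own.
var bannedWords = map[string]bool{"hell": true, "spamword": true}

// tokenize lower-cases the text and splits on anything that is not a letter or
// digit, so "Shell-scripting" yields the tokens "shell" and "scripting".
func tokenize(text string) []string {
	return strings.FieldsFunc(strings.ToLower(text), func(r rune) bool {
		return !unicode.IsLetter(r) && !unicode.IsDigit(r)
	})
}

// NaiveContains flags the ad if any banned word occurs as a substring. This is
// the variant that blocks genuine ads: "shell" contains "hell".
func NaiveContains(text string) bool {
	lower := strings.ToLower(text)
	for w := range bannedWords {
		if strings.Contains(lower, w) {
			return true
		}
	}
	return false
}

// FindBanned returns, in order of first appearance, the banned words that occur
// as whole words. An empty result means the ad passes the scan.
func FindBanned(text string) []string {
	var hits []string
	seen := map[string]bool{}
	for _, tok := range tokenize(text) {
		if bannedWords[tok] && !seen[tok] {
			seen[tok] = true
			hits = append(hits, tok)
		}
	}
	return hits
}

func main() {
	genuine := "Go developer wanted; shell scripting experience a plus." // constructed input
	junk := "What the HELL, buy spamword now"                             // constructed input
	fmt.Println(NaiveContains(genuine), FindBanned(genuine), NaiveContains(junk), FindBanned(junk))
}
```

Running it prints `true [] true [hell spamword]`: the substring scan rejects the genuine ad while the whole-word scan passes it and still catches both banned words in the junk ad.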

Final word

I love Go and if you’re reading this you probably love it too. I hope that We Love Go will remain a safe place for anyone in the Go community and that it continues to be useful to people and businesses who are using Go.

Sincerely,

Jonathan Ingram | We Love Go
